
Re: [Asrg] where the message originated

2009-01-14 13:02:12
On Wed, 2009-01-14 at 11:07 -0500, Chris Lewis wrote:

> Our experience, issuing 55x at levels of 250,000-1,300,000 per day since
> 1997 indicates exactly the reverse.
>
> Certainly, there's no way to prove that "it" (an infection) hasn't
> happened, but considering we've had precisely _one_ report of a 55x (for
> any reason whatsoever) landing in the forgee's mailbox in all that time,
> it can't be significant.  In contrast to the dozen or so FPs per day
> that we do handle.  Silently dropping emails would mean that those dozen
> or so FPs would go unnoticed by anyone.

Interesting. At least there are some numbers here.

Just to check, are these 250K-1300K 5xx responses *just* for messages
which have fallen foul of Anti-Virus checks (i.e. the number does not
include 5xx responses for other causes like invalid recipients)?

As Alessandro Vesely has commented, this does seem a high AV FP rate.

How do you find out about the FP (since the message is, by definition,
rejected)? Obviously, if the sender simply resends, it would be rejected
again. So, there must be some other mechanism you have for finding out
that this particular message was not actually infected.

What kinds of message typically generate FPs? What AV signatures are
being hit by these FPs? How do you verify that the message is not
actually a problem?

Maybe we are lucky, but we do not see many messages which appear to be
infected - perhaps only 0.6% of the overall traffic. Nearly 90% of
received messages appear to be spam. Do you get a significantly higher
proportion of (purported) infected messages?

Although the number of reported infections from rejected messages is
just one, maybe this is not surprising. Firstly, there are clearly "out
there" a very large number of machines which are infected and the owner
either does not know or does not care. So, if any of these have been
infected as a result of one of your rejections, you would not know. Even
if the owner finds out their machine is infected, I would think it is
rare for them to try to trace the origin of the infection. The work
involved in getting their machine clean is probably enough for them. It
might involve re-installing the OS, which would probably wipe the
evidence.
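As an added example (not code from this thread or from either of its authors), the following Python model shows where the notice of non-delivery ends up under the three handling choices the thread contrasts: a 55x at end of DATA, accept-then-bounce, and silent drop. The AV check is a constructed marker-string stand-in rather than a real signature, and the transcript and addresses are constructed sample data; the function names are the example's own.

```python
"""Model of the three MTA outcomes discussed in the thread: reject at end of
DATA with a 5xx, accept and then bounce, or accept and silently drop.
The AV engine is a constructed stand-in (a marker string, not a real
signature); the addresses and transcript are constructed sample data."""
from dataclasses import dataclass

REJECT_IN_SESSION = "reject_in_session"    # 550 at end of DATA
ACCEPT_THEN_BOUNCE = "accept_then_bounce"  # 250, then a DSN to MAIL FROM
SILENT_DROP = "silent_drop"                # 250, message discarded

# Constructed stand-in for an AV signature: a marker string in the body.
FAKE_SIGNATURE = "X-CONSTRUCTED-MALWARE-MARKER"


@dataclass
class Envelope:
    mail_from: str
    rcpt_to: list
    body: str


def parse_session(client_lines):
    """Extract the envelope from the client side of an SMTP transcript.

    Only MAIL FROM, RCPT TO and the DATA section are needed here; the body
    is dot-unstuffed as the receiving MTA would do it."""
    mail_from, rcpts, body, in_data = None, [], [], False
    for line in client_lines:
        if in_data:
            if line == ".":
                in_data = False
            else:
                body.append(line[1:] if line.startswith("..") else line)
        elif line.upper().startswith("MAIL FROM:"):
            mail_from = line.split(":", 1)[1].strip().strip("<>")
        elif line.upper().startswith("RCPT TO:"):
            rcpts.append(line.split(":", 1)[1].strip().strip("<>"))
        elif line.upper() == "DATA":
            in_data = True
    return Envelope(mail_from, rcpts, "\n".join(body))


def av_verdict(body):
    """Return the name of the matched 'signature', or None if clean."""
    return "constructed.test.sig" if FAKE_SIGNATURE in body else None


def end_of_data_response(policy, env, review_log):
    """Reply to send at end of DATA, plus a review record for the operator.

    The record is what makes a false positive visible later: the 5xx text
    tells the sending MTA why it failed, and the log lets a complaint be
    matched to the rejected message and the signature that fired."""
    sig = av_verdict(env.body)
    if sig is None:
        return "250 2.0.0 OK: queued"
    review_log.append({"mail_from": env.mail_from, "rcpt_to": list(env.rcpt_to),
                       "signature": sig, "policy": policy})
    if policy == REJECT_IN_SESSION:
        return f"550 5.7.1 Message rejected: matched {sig}"
    # Both accept_then_bounce and silent_drop say 250 on the wire.
    return "250 2.0.0 OK: queued"


def notification_target(policy, env):
    """Who learns that the message was not delivered.

    An in-session 5xx reaches the connected client, i.e. the host that
    actually transmitted the message. A DSN generated after acceptance goes
    to the MAIL FROM address, which for malware is usually forged, so the
    bounce lands with the forgee. A silent drop tells nobody, so a false
    positive is never noticed."""
    if av_verdict(env.body) is None:
        return "delivered"
    if policy == REJECT_IN_SESSION:
        return "connected client (the transmitting host)"
    if policy == ACCEPT_THEN_BOUNCE:
        return f"envelope sender {env.mail_from} (possible forgee)"
    return "nobody"


# Constructed sample transcript: forged MAIL FROM, body hits the marker.
SAMPLE_SESSION = [
    "EHLO bot.example",
    "MAIL FROM:<victim@example.org>",
    "RCPT TO:<user@example.net>",
    "DATA",
    "Subject: invoice",
    "",
    "..leading dot kept by unstuffing",
    FAKE_SIGNATURE,
    ".",
]

if __name__ == "__main__":
    env = parse_session(SAMPLE_SESSION)
    for policy in (REJECT_IN_SESSION, ACCEPT_THEN_BOUNCE, SILENT_DROP):
        log = []
        print(policy, end_of_data_response(policy, env, log),
              "->", notification_target(policy, env))
```

Running it prints one line per policy; the point of the review log is that only the first policy both tells the transmitting host why the message failed and leaves the operator a record to check against the "dozen or so FPs per day" that the thread mentions, while the silent drop produces a 250 on the wire and nothing anyone can later notice.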


_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg